Cloud Reveal – Scan sub-domains for Host IP


Content distribution networks (CDNs) like Cloudflare have made the internet faster all over the world. Cloudflare's free tier is enough to make a website noticeably faster. It is easy to set up your domain to use the CDN for serving static content, and in addition to the CDN you get applications, a firewall, analytics, DNS, and page rules. This doesn't come without downsides: if the CDN goes offline, your website goes down with it. Cloudflare has had technical problems that led to downtime around the world.

I decided to find a way to resolve a domain to its original IP. If you can find the original IP of the site's host, you can fetch content from the source, bypassing the CDN. Our analysis shows that this doesn't work every time: a domain may fail to load from its host IP because it relies on a shared SSL certificate from Cloudflare.

There are a few ways to find the host IP of a website, including checking historic IP records or checking its sub-domains for a possible IP leak. There may be other, more sophisticated methods that I don't know of. Here I made a Python scanner to check sub-domains. The code is made for personal research, but you are free to modify it.

Test for Google domain using cloud reveal

The tool we are going to use is CDNReveal. It scans through a list of sub-domains in an attempt to find one that the website owner has exempted from the CDN. Website administrators use sub-domains to reach web services such as mail, the control panel, and file transfer. The tool relies on a choice the domain owner makes: to let some sub-domains bypass the CDN. When a user sets up a domain with Cloudflare, it enumerates the domain's sub-domains, and the user decides which DNS records should pass through Cloudflare. Users may choose to bypass the CDN for a few sub-domains, since domain names are easier to remember than IP addresses. Some of these sub-domains include mail, ftp, cPanel, and others.

The tool is a Python script, and you use the '-d' argument to pass the domain. A typical command looks like:


The scan results show the sub-domain scanned, its IP, host name, and ASN. If the domain is using a CDN, you can tell from the ASN name displayed for the IP. The first sub-domain, 'www', is likely to be on the cloud network. Subsequent sub-domain scans show whether an IP differs from that of the previous sub-domains. It may find multiple sub-domains on different IPs; you will have to figure out which one hosts the actual domain.
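As an added example (not the CDNReveal script itself), here is the same check run from the zone owner's side against their own DNS records: classify each sub-domain by whether its address falls inside the CDN's published prefixes, then group the non-CDN addresses so you can see which records leak an origin and should be proxied or firewalled. The sub-domain names, addresses and the small Cloudflare prefix subset are constructed/assumed; refresh the prefix list from Cloudflare's published ranges before relying on it.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: illustrative subset of Cloudflare's published IPv4 prefixes.
# Refresh from https://www.cloudflare.com/ips/ before relying on the verdicts.
CDN_RANGES = [ipaddress.ip_network(p) for p in (
    "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20",
)]

# Constructed zone (RFC 5737 documentation addresses), standing in for
# what a resolver would return for your own sub-domains.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["104.16.1.1"],
    "example.com": ["104.16.1.2"],
    "mail.example.com": ["203.0.113.10"],
    "cpanel.example.com": ["203.0.113.10"],
    "ftp.example.com": ["198.51.100.7"],
}

def is_cdn_ip(ip: str) -> bool:
    """True if the address sits inside one of the CDN's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def audit_zone(zone: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Label every A record 'proxied' (behind the CDN) or 'exposed'."""
    return [(name, ip, "proxied" if is_cdn_ip(ip) else "exposed")
            for name, ips in sorted(zone.items()) for ip in ips]

def candidate_origins(zone: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Group exposed addresses by IP. One IP shared by mail/cpanel/ftp is
    the likely origin host: the record set the zone owner should move
    behind the proxy or restrict at the firewall to CDN source ranges."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for name, ip, verdict in audit_zone(zone):
        if verdict == "exposed":
            hits[ip].append(name)
    return {ip: sorted(names) for ip, names in hits.items()}

if __name__ == "__main__":
    for name, ip, verdict in audit_zone(SAMPLE_ZONE):
        print(f"{name:22} {ip:15} {verdict}")
    print("candidate origins:", candidate_origins(SAMPLE_ZONE))
```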

The script can also fetch a domain's sub-domains found by VirusTotal using its API, but that isn't used for the CDN reveal at the moment. I would like to implement it some day. You can get the sub-domains with the file.

$ -d

After you find the different IP used by the different sub-domains, point the domain to that IP in the hosts file of your operating system. If the website loads without problems, you have found its real host IP.
